Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!uakari.primate.wisc.edu!aplcen!boingo.med.jhu.edu!haven.umd.edu!uvaarpa!murdoch!astsun7.astro.Virginia.EDU!gl8f
From: gl8f@astsun7.astro.Virginia.EDU (Greg Lindahl)
Newsgroups: comp.org.eff.talk
Subject: Re: Student suspended for distributing /etc/passwd
Message-ID: <1991Jun12.055211.24457@murdoch.acc.Virginia.EDU>
Date: 12 Jun 91 05:52:11 GMT
References: <1991Jun11.221521.14402@athena.cs.uga.edu> <1991Jun12.011740.20751@murdoch.acc.Virginia.EDU> <1991Jun12.042513.20870@athena.cs.uga.edu>
Sender: usenet@murdoch.acc.Virginia.EDU
Organization: Department of Astronomy, University of Virginia
Lines: 29

In article <1991Jun12.042513.20870@athena.cs.uga.edu> mcovingt@athena.cs.uga.edu (Michael A. Covington) writes:

>I wasn't being sarcastic, but I certainly _would_ consider intent.
>But a student who wants to run Cops for a legitimate reason should
>seek permission _first_, preferably.

Why should he seek permission from you? Do you only allow students to run programs which are pre-approved? Is this your announced policy? Or, do you feel yourself qualified to decide legal matters, on par with a state or federal judge?

I'm not trying to be rude, well, actually, I am being a little rude, but I am trying to illustrate a point. Normal environments generally believe in "innocent until proven guilty." Academic environments are allegedly supposed to encourage learning. I don't think this sort of policy is helping either. As a student I never felt the need to ask before committing actions that were legal and ethical.

If you have many passwords that can be trivially broken using COPS, then the system administration down there isn't what I would consider good. It's my job as system administrator to make sure I don't leave obvious holes in my systems, and you may be leaving yourself open to negligence charges and/or lawsuits if someone breaks in and reads mail, for example.

I'm not a lawyer, but I do know how my job should be done.

Finally, if you're in such a lather about you leaving your own /etc/passwd world-readable, use shadow passwords and avoid the entire issue. Peace and quiet beats the opposite any day of the week.